FortiGuard Web Filtering Service

FortiGuard Web Filtering Service

FortiGuard Web Filter is a managed web filtering solution available by subscription from Fortinet. FortiGuard Web Filter enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filter Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface.

FortiGuard Web Filter includes over 45 million individual ratings of web sites that apply to more than two billion pages. Pages are sorted and rated into several dozen categories administrators can allow or block. Categories may be added or updated as the Internet evolves. To make configuration simpler, you can also choose to allow or block entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

FortiGuard Web Filter ratings are performed by a combination of proprietary methods including text analysis, exploitation of the web structure, and human raters. Users can notify the FortiGuard Web Filter Service Points if they feel a web page is not categorized correctly, so that the service can update the categories in a timely fashion.

Before you begin to use the FortiGuard Web Filter options you should verify that you have a valid subscription to the service for your FortiGate firewall.

 

FortiGuard Web Filter and your FortiGate unit

When FortiGuard Web Filter is enabled in a web filter profile, the setting is applied to all firewall policies that use this profile. When a request for a web page appears in traffic controlled by one of these firewall policies, the URL is sent to the nearest FortiGuard server. The URL category is returned. If the category is blocked, the FortiGate unit provides a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

 

FortiGuard Web Filter Actions

The Possible Actions are:

  • Allow permits access to the sites within the category.
  • Block prevents access to sites within the category. Users attempting to access a blocked site will receive a replacement message explaining that access to the site is blocked.
  • Monitor permits and logs access to sites in the category. You may also enable user quotas when enabling the monitor action.
  • Warning presents the user with a message, allowing them to continue if they choose.
  • Authenticate requires a user authenticate with the FortiGate unit before being allowed access to the category or category group.
  • Disable prevents that category, and all sub-categories, from inspection. This permits access to the sites within the category.

 

The choices of actions available will depend on the mode of inspection.

  • Proxy – Allow, Block, Monitor, Warning, Authenticate and Disable.
  • Flow-based – Allow, Block & Monitor.
  • DNS – Allow, Block & Monitor.

 

 

FortiGuard Web Filtering categories

The following tables identify each web filtering category (organized by group) along with associated category IDs. For a complete description of each web filtering category, visit http://www.fortiguard.com/webfilter.

 

Potentially Liable

 

ID Category   ID Category
 

1

 

Drug Abuse

   

12

 

Extremist Groups

 

3

 

Hacking

   

59

 

Proxy Avoidance

 

4

 

Illegal or Unethical

   

62

 

Plagiarism

 

5

 

Discrimination

   

83

 

Child Abuse

 

6

 

Explicit Violence

     
 

Adult/Mature Content

ID Category   ID Category
 

2

 

Alternative Beliefs

   

16

 

Weapons (Sales)

 

7

 

Abortion

   

57

 

Marijuana

 

8

 

Other Adult Materials

   

63

 

Sex Education

 

9

 

Advocacy Organizations

   

64

 

Alcohol

 

11

 

Gambling

   

65

 

Tobacco

 

13

 

Nudity and Risque

   

66

 

Lingerie and Swimsuit

 

14

 

Pornography

   

67

 

Sports Hunting and War Games

 

15

 

Dating

     
 

Bandwidth Consuming

ID Category   ID Category
 

19

 

Freeware and Software Downloads

   

72

 

Peer-to-peer File Sharing

 

24

 

File Sharing and Storage

   

75

 

Internet Radio and TV

 

25

 

Streaming Media and Download

   

76

 

Internet Telephony

 

Security Risk

ID Category   ID Category
 

26

 

Malicious Websites

   

86

 

Spam URLs

 

61

 

Phishing

   

88

 

Dynamic DNS

 

General Interest – Personal

ID Category   ID Category
 

17

 

Advertising

   

47

 

Travel

 

18

 

Brokerage and Trading

   

48

 

Personal Vehicles

 

20

 

Games

   

54

 

Dynamic Content

 

23

 

Web-based Email

   

55

 

Meaningless Content

 

28

 

Entertainment

   

58

 

Folklore

 

29

 

Arts and Culture

   

68

 

Web Chat

 

30

 

Education

   

69

 

Instant Messaging

 

33

 

Health and Wellness

   

70

 

Newsgroups and Message Boards

 

34

 

Job Search

   

71

 

Digital Postcards

 

35

 

Medicine

   

77

 

Child Education

 

36

 

News and Media

   

78

 

Real Estate

 

37

 

Social Networking

   

79

 

Restaurant and Dining

 

38

 

Political Organizations

   

80

 

Personal Websites and Blogs

 

39

 

Reference

   

82

 

Content Servers

 

40

 

Global Religion

   

85

 

Domain Parking

 

42

 

Shopping

   

87

 

Personal Privacy

 

44

 

Society and Lifestyles

   

89

 

Auction

 

46

 

Sports

     

 

General Interest – Business

ID Category   ID Category
 

31

 

Finance and Banking

   

52

 

Information Technology

 

41

 

Search Engines and Portals

   

53

 

Armed Forces

 

43

 

General Organizations

   

56

 

Web Hosting

 

49

 

Business

   

81

 

Secure Websites

 

50

 

Information and Computer Security

   

84

 

Web-based Applications

 

51

 

Government and Legal Organizations

     

 

FortiGuard Web Filter usage quotas

In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily timed access quota by category, category group, or classification. Quotas allow access for a specified length of time, calculated separately for each user. Quotas are reset every day at midnight.

Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.

The use of FortiGuard Web Filter quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authen- tication is not required.

Editing the web filter profile resets the quota timers for all users.

When a user first attempts to access a URL, they’re prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked and FortiGate unit adjusts the user’s remaining available quota for the category or classification.

 

Quota hierarchy

You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.

When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas are:

1. Category

2. Category group

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook and tagged on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “FortiGuard Web Filtering Service

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.